[PATCHES] fix "net rpc oldjoin" (bug #13149)
Jeremy Allison
jra at samba.org
Fri Nov 17 21:51:06 UTC 2017
On Fri, Nov 17, 2017 at 04:08:47PM +0100, Stefan Metzmacher via samba-technical wrote:
> Hi,
>
> here're patches to fix "net rpc oldjoin" and add a regression
> test.
>
> Please review and push:-)
OK, I get what's going on here now (took me a while :-).
RB+ and pushed. Thanks Metze !
> From db6cece45d2e197434c0ce93c9aa5cd98d51a3a4 Mon Sep 17 00:00:00 2001
> From: Stefan Metzmacher <metze at samba.org>
> Date: Fri, 17 Nov 2017 15:51:36 +0100
> Subject: [PATCH 1/2] s3:selftest: add samba3.blackbox.net_rpc_oldjoin test
>
> This demonstrates that "net rpc oldjoin" is currently broken.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13149
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
> ---
> selftest/knownfail.d/oldjoin | 1 +
> source3/script/tests/test_net_rpc_oldjoin.sh | 32 ++++++++++++++++++++++++++++
> source3/selftest/tests.py | 4 ++++
> 3 files changed, 37 insertions(+)
> create mode 100644 selftest/knownfail.d/oldjoin
> create mode 100755 source3/script/tests/test_net_rpc_oldjoin.sh
>
> diff --git a/selftest/knownfail.d/oldjoin b/selftest/knownfail.d/oldjoin
> new file mode 100644
> index 0000000..86fca85
> --- /dev/null
> +++ b/selftest/knownfail.d/oldjoin
> @@ -0,0 +1 @@
> +^samba3.blackbox.net_rpc_oldjoin.net.*
> diff --git a/source3/script/tests/test_net_rpc_oldjoin.sh b/source3/script/tests/test_net_rpc_oldjoin.sh
> new file mode 100755
> index 0000000..070fcc1
> --- /dev/null
> +++ b/source3/script/tests/test_net_rpc_oldjoin.sh
> @@ -0,0 +1,32 @@
> +#!/bin/sh
> +
> +if [ $# -lt 3 ]; then
> +cat <<EOF
> +Usage: test_net_rpc_oldjoin.sh SERVER PREFIX SMB_CONF_PATH
> +EOF
> +exit 1;
> +fi
> +
> +SERVER="$1"
> +PREFIX="$2"
> +SMB_CONF_PATH="$3"
> +shift 3
> +
> +incdir=`dirname $0`/../../../testprogs/blackbox
> +. $incdir/subunit.sh
> +maccount="OLDJOINTEST"
> +privatedir="$PREFIX/private"
> +
> +UID_WRAPPER_ROOT=1
> +export UID_WRAPPER_ROOT
> +
> +OPTIONS="--configfile $SMB_CONF_PATH --option=netbiosname=$maccount --option=security=domain --option=domainlogons=no --option=privatedir=$privatedir"
> +
> +testit "mkdir -p $privatedir" mkdir -p $privatedir || failed=`expr $failed + 1`
> +testit "smbpasswd -a -m" $VALGRIND $BINDIR/smbpasswd -L -c $SMB_CONF_PATH -a -m "$maccount" || failed=`expr $failed + 1`
> +testit "net_rpc_oldjoin" $VALGRIND $BINDIR/net rpc oldjoin -S $SERVER $OPTIONS || failed=`expr $failed + 1`
> +testit "net_rpc_testjoin1" $VALGRIND $BINDIR/net rpc testjoin -S $SERVER $OPTIONS || failed=`expr $failed + 1`
> +testit "net_rpc_changetrustpw" $VALGRIND $BINDIR/net rpc changetrustpw -S $SERVER $OPTIONS || failed=`expr $failed + 1`
> +testit "net_rpc_testjoin2" $VALGRIND $BINDIR/net rpc testjoin -S $SERVER $OPTIONS || failed=`expr $failed + 1`
> +
> +testok $0 $failed
> diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
> index 5b12355..3e5cffd 100755
> --- a/source3/selftest/tests.py
> +++ b/source3/selftest/tests.py
> @@ -588,6 +588,10 @@ plantestsuite("samba3.blackbox.net_rpc_join", "nt4_dc",
> [os.path.join(samba3srcdir, "script/tests/test_net_rpc_join.sh"),
> "$USERNAME", "$PASSWORD", "$SERVER", "$PREFIX/net_rpc_join",
> configuration])
> +plantestsuite("samba3.blackbox.net_rpc_oldjoin", "nt4_dc:local",
> + [os.path.join(samba3srcdir, "script/tests/test_net_rpc_oldjoin.sh"),
> + "$SERVER", "$PREFIX/net_rpc_oldjoin",
> + "$SMB_CONF_PATH"])
>
> plantestsuite("samba3.blackbox.rpcclient_srvsvc", "simpleserver",
> [os.path.join(samba3srcdir, "script/tests/test_rpcclientsrvsvc.sh"),
> --
> 1.9.1
>
>
> From b146c0c7c6d99cc30376503b8d8153d46196371e Mon Sep 17 00:00:00 2001
> From: Stefan Metzmacher <metze at samba.org>
> Date: Thu, 16 Nov 2017 21:09:20 +0000
> Subject: [PATCH 2/2] libnet_join: fix "net rpc oldjoin"
>
> We need to open the ncacn_np (smb) transport connection with
> anonymous credentials.
>
> In order to do netr_ServerPasswordSet*() we need to
> establish a 2nd netlogon connection using dcerpc schannel
> authentication.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13149
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
> ---
> selftest/knownfail.d/oldjoin | 1 -
> source3/libnet/libnet_join.c | 53 +++++++++++++++++++++++++++++++++++++-------
> 2 files changed, 45 insertions(+), 9 deletions(-)
> delete mode 100644 selftest/knownfail.d/oldjoin
>
> diff --git a/selftest/knownfail.d/oldjoin b/selftest/knownfail.d/oldjoin
> deleted file mode 100644
> index 86fca85..0000000
> --- a/selftest/knownfail.d/oldjoin
> +++ /dev/null
> @@ -1 +0,0 @@
> -^samba3.blackbox.net_rpc_oldjoin.net.*
> diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
> index eb6b894..0595cfe 100644
> --- a/source3/libnet/libnet_join.c
> +++ b/source3/libnet/libnet_join.c
> @@ -1044,12 +1044,23 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
> NTSTATUS status, result;
> union lsa_PolicyInformation *info = NULL;
> struct dcerpc_binding_handle *b;
> + const char *account = r->in.admin_account;
> + const char *domain = r->in.admin_domain;
> + const char *password = r->in.admin_password;
> + bool use_kerberos = r->in.use_kerberos;
> +
> + if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) {
> + account = "";
> + domain = "";
> + password = NULL;
> + use_kerberos = false;
> + }
>
> status = libnet_join_connect_dc_ipc(r->in.dc_name,
> - r->in.admin_account,
> - r->in.admin_domain,
> - r->in.admin_password,
> - r->in.use_kerberos,
> + account,
> + domain,
> + password,
> + use_kerberos,
> cli);
> if (!NT_STATUS_IS_OK(status)) {
> goto done;
> @@ -1121,16 +1132,19 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> struct cli_state *cli)
> {
> TALLOC_CTX *frame = talloc_stackframe();
> - struct rpc_pipe_client *netlogon_pipe = NULL;
> + struct rpc_pipe_client *authenticate_pipe = NULL;
> + struct rpc_pipe_client *passwordset_pipe = NULL;
> struct cli_credentials *cli_creds;
> struct netlogon_creds_cli_context *netlogon_creds = NULL;
> + struct netlogon_creds_CredentialState *creds = NULL;
> + uint32_t netlogon_flags = 0;
> size_t len = 0;
> bool ok;
> DATA_BLOB new_trust_blob = data_blob_null;
> NTSTATUS status;
>
> status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
> - &netlogon_pipe);
> + &authenticate_pipe);
> if (!NT_STATUS_IS_OK(status)) {
> TALLOC_FREE(frame);
> return status;
> @@ -1167,7 +1181,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> CRED_SPECIFIED);
>
> status = rpccli_create_netlogon_creds_ctx(
> - cli_creds, netlogon_pipe->desthost, r->in.msg_ctx,
> + cli_creds, authenticate_pipe->desthost, r->in.msg_ctx,
> frame, &netlogon_creds);
> if (!NT_STATUS_IS_OK(status)) {
> TALLOC_FREE(frame);
> @@ -1182,6 +1196,29 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> return status;
> }
>
> + status = netlogon_creds_cli_get(netlogon_creds, frame, &creds);
> + if (!NT_STATUS_IS_OK(status)) {
> + TALLOC_FREE(frame);
> + return status;
> + }
> +
> + netlogon_flags = creds->negotiate_flags;
> + TALLOC_FREE(creds);
> +
> + if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
> + status = cli_rpc_pipe_open_schannel_with_creds(cli,
> + &ndr_table_netlogon,
> + NCACN_NP,
> + netlogon_creds,
> + &passwordset_pipe);
> + if (!NT_STATUS_IS_OK(status)) {
> + TALLOC_FREE(frame);
> + return status;
> + }
> + } else {
> + passwordset_pipe = authenticate_pipe;
> + }
> +
> len = strlen(r->in.machine_password);
> ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16,
> r->in.machine_password, len,
> @@ -1197,7 +1234,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> }
>
> status = netlogon_creds_cli_ServerPasswordSet(netlogon_creds,
> - netlogon_pipe->binding_handle,
> + passwordset_pipe->binding_handle,
> &new_trust_blob,
> NULL); /* new_version */
> if (!NT_STATUS_IS_OK(status)) {
> --
> 1.9.1
>
More information about the samba-technical
mailing list